This is another special blog written by Matt Gardenghi!

My boss passed around a document about database security in the cloud.  It raised issues about proper monitoring of the DB, but offered no solutions.

This got me thinking.  I hate it when that happens.  Its like an automatic “boss button” that I can’t switch off.  /gah

For the sake of argument, let’s assume we are discussing VMs hosted on some provider’s (Amazon) VMWare ESX cluster.  This could really apply to any VM on any company’s specific VM host, but VMWare is big, popular, and a good basis to work from.  Let’s say, some marketing exec bought a package that would hold data on a machine in the cloud.  (You may shoot him later; right now, you have to deal with the issues of integration into your secure environment.)

Greetings!

Today seemed like a fun day to write about a really cool vector for cross-site scripting I found. In my testing, this attack is pretty specific and, in some ways, useless, but I strongly suspect that, with resources I don’t have access to, this can trigger stored cross-site scripting in some pretty nasty places. But I’ll get to that!

Interestingly enough, between the time that I wrote this blog/tool and published it, nCircle researchers have said almost the same thing (paper (pdf)). The major difference is, I released a tool to do it and demonstrate actual examples.

I am not a forensics expert, nor do I play one on TV. I do, however, play one at work from time to time and I own some of the key tools: a magnifying glass and a 10baseT hub. Oh, and a Sherlock Holmes hat – that’s the key. Unfortunately, these weren’t much help when I was handed a pile of drives and was asked to find out which version of Windows they had been running. I wasn’t allowed to boot them, and I couldn’t really find the full answer of how to get the version after a lot of googling, so I figured it out the hard way. Hopefully I can save you guys some time by explaining it in detail.

And if there’s a better way, which I’m sure there is, please let me know. I don’t doubt that I did this the hard way – that’s kinda my thing.

The order of events is, basically:

• Step 1: Copy the system's registry hive to your analysis system
• Step 2: Mount the registry hive in regedit.exe
• Step 3: Navigate to the OS version in regedit.exe
• Step 4: Unmount the registry hive.

If you know how to do all that, then thanks for reading! Check back Tuesday for a brand new blog posting! I have an interesting blog that combines DNS and cross-site scripting lined up.

Otherwise, keep reading. Or just look at the pictures.

There are the usual XSS tests.  And then there are the fun ones.  This is a story about a more exotic approach to testing XSS….

I was testing a company that had passed all XSS tests from their pentester.  I found that they allowed users to write HTML tags.  Of course they didn’t permit <script> tags or <iframe> tags.  (Well, they did allow those, but that was an oops - no server side filtering.)  This company had whitelisted a variety of “safe” tags for use by clients.

That’s boring, right?  Heh, thanks to Ron, I had a way to abuse their whitelist.  (I’ve since found this in Web Application Hackers Handbook, but I seem to have overlooked it at the time I read it.)  Three HTML 4 tags in particular allow javascript to be run from one of the elements and these are: <img>, <object>, and <style>.

Hey all,

In honour of this special day, I’m releasing an Nmap script I wrote a few months ago as a challenge: http-california-plates.nse. To install it, ensure you’re at the latest svn version of Nmap (I fixed a bug in http.lua last night that prevented this from working, so only the svn version as of today will work), download http-california-plates.nse, and install it.

So, I realized that the reCAPTCHA plugin for Wordpress sucks was marking a lot of comments as spam, when it was actually working and not getting timeout errors (thanks to my egress filtering). I decided to toss it out and go with a math-based CAPTCHA for posts, so you should once again be able to post comments reliably! I’m hoping that by customizing the math CAPTCHA to use different field names/numbers, it should eliminate the same amount of spam that reCAPTCHA did.

Also worth noting: at the moment, registration isn’t going to work because I don’t have email set up. I’ll post an update to that when it’s going again. It shouldn’t matter, though, registration isn’t required to comment.

I also added an infobox on the side (–>) with information about the author of the post, since I’ve been taking turns with my buddy Matt Gardenghi lately. Now you can see who posted what.

If anything isn’t working, or you’d like some feature/widget/whatever that I don’t currently have, let me know!

Ron

Now that we know what we need to send and receive, and how it’s encoded, let’s generate the actual packet. Then, once we’re sure it’s working, we’ll convert it into an Nmap probe! In most of this section, I assume you’re running Linux, Mac, or some other operating system with a built-in compiler and useful tools (gcc, hexdump, etc). If you’re on Windows, you’ll probably just have to follow along until I generate the probe.

In Part 2: runtime analysis, we discovered some important addresses in the Energizer Trojan – specifically, the addresses that make the call to recv() data. Be sure to read that section before reading this one.

Now that we have some starting addresses, we can move on to a disassembler and look at what the code’s actually doing. Fortunately, the author made no attempt to disguise the code or pack or or anything like that, so a simple disassembler is all we need to examine the code.

A word of warning: this is the longest, most complicated section. But stick with it, by the end we’ll know exactly how the Trojan ticks!

In Part 1: setup, we infected the system with the Trojan. It should still be running on the victim machine. If you haven’t read that section, I strongly recommend you go back and read it.

Now that we’ve infected a test machine, the goal of this step is to experiment a little with the debugger and learn a little about the Energizer Trojan. This can all be discovered with a simple disassembler, but I find it more fun to take apart a live sample. All we’re going to do is add a breakpoint at the recv() function and see where it’s called from.

This step is going to require Debugging Tools for Windows. If you haven’t installed it already, install it on the victim machine.

Hey all,

As most of you know, a Trojan was recently discovered in the software for Energizer’s USB battery charger. Following its release, I wrote an Nmap probe to detect the Trojan and HDMoore wrote a Metasploit module to exploit it.

I mentioned in my last post that it was a nice sample to study and learn from. The author made absolutely no attempt to conceal its purpose, once installed, besides a weak XOR encoding for communication. Some conspiracy theorists even think this may have been legitimate management software gone wrong – and who knows, really? In any case, I offered to write a tutorial on how I wrote the Nmap probe, and had a lot of positive feedback, so here it is!

Just be sure to take this for what it is. This is not intended to show any new methods or techniques or anything like that. It’s a reverse engineering guide targeted, as much as I could, for people who’ve never opened IDA or Windbg in their lives. I’d love to hear your comments!

This is yet another guest post from our good friend Matt Gardenghi! If you enjoy this one, don’t forget to check his last one: Trusting the Browser (a ckeditor short story).

Often, I hear arguments that go like this: real hackers write code and exploits; everyone else is a script-kiddie.

That is a dumb argument from all sorts of levels.  For starters, those who make this observation are usually those who can write code.  Therefore, everyone who can’t meet their personal standards/abilities as a coder are “skiddies” who demean the profession.

I find it intriguing that everyone defines the basis for a good pentester by their own capabilities.  Clearly you think that you are good and it’s normal to think that everyone will want to be good just like you.  Consequently, they should all do as you do, right?  Wrong.  We need diversity of backgrounds, skills, and opinions.  It’s healthy not to inbreed (intellectually or otherwise).

Hey all,

I’ve been letting other projects slip these last couple weeks because I was excited about converting dnscat into shellcode (or “weaponizing dnscat”, as I enjoy saying). Even though I got into the security field with reverse engineering and writing hacks for games, I have never written more than a couple lines of x86 at a time, nor have I ever written shellcode, so this was an awesome learning experience. Most people start by writing shellcode that spawns a local shell; I decided to start with shellcode that implements a dnscat client in under 1024 bytes (for both Linux and Windows). Like I always say, go big or go home!

This is going to be a fun post that’s related to some of my password work. Some of the text may not be PG13, so parental discretion is advised.

As most of you know, I’ve been collecting password lists. In addition to normal password lists that are useful in bruteforcing, I have a (so far) lame collection of non-hacking dictionaries. Things like cities, English words, etc.

There was a time when the biggest dictionary I had, weighing in at 6.4mb, was a German wordlist. 6.4mb doesn’t sound like much, but at the time I was on a DSL connection; with about 400kbit upstream (on a good day), I could feel every download.

Yes, I’m still working on making the ultimate password list. And I don’t mean the 16gb one I made by taking pretty much every word or word-looking string on the Internet when I was a kid; that was called ultimater dictionary. No; I mean one that is streamlined, sorted, and will make Nmap the bruteforce tool of the future!

My name is Matt Gardenghi. Ron seems to think it important that this post be clearly attributed to someone else (this fact might worry me). I’m an occasional contributor here (see: Bypassing AV). I handle security at Bob Jones University and also perform pentests on the side. (So if you need someone to do work, here’s my shameless plug.) I have acquired the oddly despised CISSP and the more respectable GCFA, GPEN, and GWAPT.

I know a company that purchased some Web 2.0 services.  We’ll leave it at that, to protect the guilty.  :-p

So, one day a bored user decided that the editor used on the site was annoying.  He used GreaseMonkey to replace the editor with his preferred editor.  This was “Clue #1” that a problem existed with the Web 2.0 service.

Hey,

I don’t usually write two posts in one day, but today is a special occasion! I was reading my news feeds (well, my co-op student (ie, intern) was – I was doing paperwork), and noticed a story about a remote backdoor being included with the Energizer UsbCharger software</a>. Too funny!

Hey everybody!

As you probably know, I’ve been working hard on generating and evaluating passwords. My last post was all about Rockyou.com’s passwords; next post will (probably) be about different groups of passwords from my just updated password dictionaries page. This will be a little different, though.

Hey all,

As some of you know, I’ve been working on collecting leaked passwords/other dictionaries. I spent some time this week updating my wiki’s password page. Check it out and let me know what I’m missing, and I’ll go ahead and mirror it.

I’ve had a couple new developments in my password list, though. Besides having an entirely new layout, I’ve added some really cool data!

Hey all,

I’m really excited to announce the first release of a tool I’ve put a lot of hard work into: dnscat.

It’s being released, along with a bunch of other tools that I’ll be blogging about, as part of nbtool 0.04.

Hey all,

Just a quick note – I updated my blog template a bit. On the right, I added some new links and I added some info about myself at the top. I also added “previous” and “next” links above the posts. Hopefully these changes make it easier to get around. Let me know if I broke anything in the process!

That’s all for today! Ron